U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

PUBLIC RELEASE

OFFICE OF THE CHIEF INFORMATION OFFICER

Use of Internet “Cookies” and “Web Bugs” on Commerce Web Sites
Raises Privacy and Security Concerns

Inspection Report No. OSE-14257/April 2001

Office of Systems Evaluation

U.S. Department of Commerce          Final Inspection Report OSE-14257
Office of Inspector General          April 2001

TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
OBJECTIVES, SCOPE, AND METHODOLOGY
FINDINGS AND RECOMMENDATIONS
I.   Unauthorized Internet Cookies Were Found on Department Web Sites
     A. Recommendations
II.  Use of Web Bugs Raises Privacy and Security Concerns
     A. Recommendations
III. Privacy Statements Should Be Modified to Comply with Department Policy
     A. Recommendations

APPENDIXES
   A. Department Web Pages Where Web Bugs Were Detected
   B. CIO Response to Report

EXECUTIVE SUMMARY

Persistent Internet “cookies” are data stored on web users’ hard drives that can identify users’
computers and track their browsing habits. “Web bugs” are software code that can monitor who
is reading a web page. In addition to being able to track a user’s browsing habits, web bugs can
also download files from and upload files to a user’s computer. Although these technologies
have uses that do not raise privacy concerns, they are capable of being employed in a way that
would violate the privacy of individuals visiting the Department’s web sites. Web bugs can also
be security threats.

This report documents our evaluation of the use of persistent Internet cookies and web bugs by
departmental Internet sites, as well as the adequacy of the privacy statements posted on the main
web pages[1] of the Department and its operating units.
We conducted our evaluation in response
to Public Law 106-554, the Consolidated Appropriations Act of 2001, which requires the
Inspector General of each department or agency to submit a report to the Congress disclosing
any activity regarding the collection of information relating to any individual’s access or viewing
habits on the department’s or agency’s Internet sites.[2]

We found that the majority of the Department’s Internet sites do not use either persistent cookies
or web bugs. However, we did find several instances in which persistent cookies were being
used without a compelling reason or the approval of the Secretary of Commerce, as required by
Department and Office of Management and Budget policy. (See page 4.) We also found a
number of web pages using web bug technology. (See page 7.) At the time of our fieldwork,
the Department did not have a policy regulating web bug use. On April 24, the Chief
Information Officer (CIO) issued a memorandum entitled Use of “Web Bugs” on Commerce
Web Sites, which establishes a policy for web bugs similar to that for persistent cookies. Finally,
we found that many of the operating units’ privacy statements do not provide all of the
information required by the Department’s privacy policy. (See page 8.)

We recommend that the Department’s CIO direct operating unit CIOs and senior management to
implement a strategy to control the use of persistent cookies and web bugs and to certify
annually that the operating unit is in compliance with the Department’s applicable policies. (See
pages 6 and 7.) We also recommend that the Department’s CIO direct operating unit CIOs and
senior management to revise their privacy policy statements to make them compliant with the
Department’s privacy policy.
(See page 10.)

We discussed our findings with the Department’s CIO on April 16, 2001. The CIO agreed with
our findings, quickly promulgated a policy addressing the use of web bugs, worked with us to
help ensure that the cookies we had identified were removed, and is now working to remove the
web bugs. Because the CIO agreed with the findings and recommendations, we are issuing this
report in final. The CIO’s memorandum indicating his concurrence is included as Appendix B to
this report.

[1] A web page is an entry point, often called a home page, to a World Wide Web information site.
[2] An Internet site is a computer system hosting a collection of web pages on a particular subject.

INTRODUCTION

On December 21, 2000, the President signed Public Law 106-554, the Consolidated
Appropriations Act of 2001.[3] Section 646 of the act requires the Inspector General of each
department or agency to submit a report to the Congress disclosing any activity regarding the
collection of information relating to any individual’s access or viewing habits on the
department’s or agency’s Internet sites.[4]

This report documents our evaluation of the use of persistent Internet cookies and web bugs by
Departmental Internet sites, as well as the adequacy of the privacy statements posted on the main
web page[5] of the Department and each operating unit. Persistent cookies are data stored on web
users’ hard drives that can identify the users and track their browsing habits.
Web bugs are software code that can monitor who is reading a web page. In addition to being
able to track a user’s browsing habits, web bugs can also download files from and upload files
to a user’s computer. Although these technologies have uses that do not raise privacy concerns,
they are capable of being employed in a way that would violate the privacy of individuals
visiting the Department’s web sites. Web bugs can also be security threats.

Persistent Internet Cookies

To address Internet privacy concerns of users of government web pages, the Office of
Management and Budget (OMB) issued OMB Memorandum 00-13, Privacy Policies and Data
Collection on Federal Web Sites, dated June 22, 2000. The memorandum states that government
web pages should not use Internet cookies without the approval of the agency head and that
cookies can be used only if (1) the site gives clear and conspicuous notice, (2) there is a
compelling need to gather the data, and (3) appropriate and publicly disclosed privacy safeguards
exist for handling any information so gathered.

The Department’s Chief Information Officer (CIO) clarified OMB’s policy to the operating unit
CIOs in an October 20, 2000, memorandum, Use of “persistent cookies” on Commerce Web
Sites. This memorandum distinguished between persistent cookies and session cookies.
Because persistent cookies remain on users’ hard drives after a browsing session is completed
and can be used to track individuals’ browsing habits, they are not allowed without Secretarial
approval. Session cookies, which are not used to track the browsing habits of users, do not
remain on users’ hard drives and are permitted if their use is disclosed in the web page privacy
statement.

The CIO’s memorandum assigns to operating unit CIOs the responsibility for ensuring that
persistent cookies are not used to collect personal information and track the browsing habits of
Department web page users. If an operating unit requires the use of persistent cookies, it must
submit a request describing the compelling need to the Secretary of Commerce through the
Department’s CIO and provide a copy of the web page privacy statement that discloses how the
information derived from persistent cookies will be used.

[3] The law comprises several appropriations measures, including the Departments of Treasury, Labor, Health and
    Human Services, and Education, and Related Agencies Appropriations Act, 2001.
[4] An Internet site is a computer system hosting a collection of web pages on a particular subject.
[5] A web page is an entry point, often called a home page, to a World Wide Web information site.

On January 11, 2001, Commerce’s CIO council adopted the Department’s policy on the use of
persistent cookies, which supersedes the CIO’s October 20 memorandum.
In general, this policy
restates the content of the CIO’s memorandum and the OMB memorandum.
At the time of our fieldwork, no operating unit had submitted a request to the Secretary for
approval to use persistent cookies on any Department web page.

Web Bugs

A growing threat to both privacy and security is a technology known as web bugs. Web bugs are
capable of tracking web users’ browsing habits, downloading files from users’ computers, and
storing files on users’ computers without their knowledge. Web bugs are invisible to a user
without specific detection software. The software code associated with web bugs can exist on
the computer hosting the web page or on another computer connected to the Internet. When a
user views the web page, the results from the execution of the web bug are sent to the web user’s
computer and acted upon. The actions performed by a web bug that resides on a computer
outside the control of the web page owner (i.e., non-departmental controlled computers) cannot
be certified to perform the intended action. For example, the code could have a hidden malicious
action, such as to install an application on the user’s computer to monitor and track information
when interacting on the Internet or to assume control of the computer.

Because the use of web bugs is relatively new, neither OMB nor the Department had a policy
regulating their use on government web pages. On April 24, after we brought this matter to his
attention, the Department’s CIO issued a policy for use of web bugs similar to that for use of
persistent cookies.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objective of this evaluation was to determine whether the Department’s web pages comply
with Department and OMB policies regarding Internet privacy.
Specifically, we evaluated the
web pages to determine if persistent cookies were being used, and we reviewed the adequacy of
the privacy statements posted on the main web pages of the Department and its operating units.
We expanded our scope to address web bugs since their use raises privacy concerns similar to
those raised by persistent cookies, as well as security concerns. To view the web pages of the
Department and its operating units, we used Microsoft Internet Explorer configured to detect the
presence of Internet persistent cookies. Additionally, we used a tool obtained from the
University of Denver Privacy Center, which we installed in Explorer, to detect the presence of
web bugs.

In discussions held with the Department’s CIO staff and operating unit CIOs and staff as we
planned our evaluation strategy, we found that reliable data was not available on the number of
web sites or web pages in the Department. This is the case, in part, because the operating unit
CIOs do not control many of the departmental web sites. Instead, a significant number of web
sites are controlled by line organizations within the operating units. Therefore, our evaluation
strategy was to start with the main Department web site, along with the main web site for each of
the operating units, and systematically assess them. For each web page, this involved spending
several minutes making selections to obtain information available on that web page and then
visiting other web pages that were referenced by the initial web page under evaluation.
While our evaluation could not be exhaustive in terms of assessing every Department web page,
we believe that our work provides an important indication of the challenges of complying with
privacy requirements on federal web sites.

We conducted our fieldwork between February and April 2001, holding an entrance conference
with the Department’s CIO on February 14, and meeting with him again on April 16 to discuss
our findings. Because the CIO concurred with our findings and recommendations, we are
issuing this report in final.

This evaluation was conducted in accordance with the Quality Standards for Inspections issued
by the President’s Council on Integrity and Efficiency and was performed under the authority of
the Inspector General Act of 1978, as amended, and Department Organization Order 10-13,
dated May 22, 1980, as amended.

FINDINGS AND RECOMMENDATIONS

I. Unauthorized Internet Cookies Were Found on Department Web Sites

Our evaluation detected 12 unauthorized persistent cookies on Department web pages in
violation of both Department and OMB policy. Four of the cookies are what are known as
client-side state cookies, and the other eight are known as third-party cookies. While privacy
issues are a concern with both types of cookies, the presence of third-party cookies is especially
serious because the data they collect is completely out of the Department’s control.

Client-side state cookies are used by web pages to store small amounts of information on the
user’s hard drive and exchange it with the web server each time the web page is visited.
At present, the primary privacy threat is the ability to actively track web visitors by assigning a
unique tag that is stored in the cookie and maintained by the web site. Thus, every time the web
user visits the web page, the unique tag stored in the cookie is matched with a tag stored in a
database on the web site, resulting in browsing habit information being captured and maintained
on specific web users. In our discussions with the officials responsible for the web sites, we
were told that one was using a client-side cookie to identify new web site visitors, while the
others were not obtaining any specific user information.

Third-party cookies raise additional privacy concerns. They are commonly associated with
graphic images referenced in the HTML[6] code for a web page. These images actually reside on
another computer connected to the Internet. As the HTML code is executed to present the user
with the display of the web page, the images are retrieved from the third-party computer and
displayed on the user’s computer, third-party cookies are stored on the user’s computer, and
browsing habit information is captured and maintained on the third-party computer in a way
similar to client-side cookies. The third-party cookies we detected were associated with
non-government computers, resulting in the storage of any captured privacy information on
computers over which the Department has no control. Unless users specifically configure their
browsers to alert them to cookies, the information is sent and received without user knowledge
or involvement.

[6] HTML stands for Hyper Text Markup Language, the language used to create web documents and to generate the
    web page on a user’s display.

The 12 persistent cookies that we detected are discussed below:

Client-State Persistent Cookies

• Found on the web page http://oamweb.osec.doc.gov, hosted by the Office of Acquisition
  Management within the Office of the Secretary, with an expiration date of December 31,
  2010. According to this office, the cookie was being used to count the number of visitors to
  the site and was not capturing any privacy information. After being informed that the cookie
  violated Department and OMB policy, the office removed it.

• Found on the web page http://www.commits.doc.gov, hosted by the Office of Acquisition
  Management within the Office of the Secretary, with an expiration date of December 31,
  2010. According to this office, the cookie was being used to count the number of visitors to
  the site and was not capturing any privacy information. After being informed that the cookie
  violated Department and OMB policy, the office removed it.

• Found on the web page http://www.osf.noaa.gov, hosted by the Next Generation Weather
  Radar Operations Center within the National Weather Service (NWS), with an expiration
  date of January 1, 2035. According to NWS officials, they were not aware of the existence
  of the cookie because it was not part of the code associated with the web page. Rather, the
  cookie was produced by the Microsoft Internet Information Server product, which is used to
  support the center’s web page operation. After we identified the cookie, NWS learned that a
  default installation setting caused the server product to generate a persistent cookie and
  changed the setting to eliminate the cookie.
  NWS told us that no privacy information was
  captured through the use of the cookie.

• Found on web page http://www.fakr.noaa.gov, hosted by the Alaska Regional Office of the
  National Marine Fisheries Service, with an expiration date of December 31, 2010. The
  cookie was being used to identify new visitors to the web site. After being informed that the
  cookie violated Department and OMB policy, the office removed it.

Third-Party Persistent Cookies

• Found on web page http://sites.usatrade.gov/ctm, hosted by the U.S. and Foreign
  Commercial Services within the International Trade Administration. The third-party web site
  that created the cookie was located at netscape.com, and the expiration date was June 29,
  3379. The cookie was being used to count the number of visitors to the web site. After
  being informed that the cookie violated Department and OMB policy, the office removed it.

• Found on web page http://www.mac.doc.gov/ftaa2005/index.htm, hosted by the Office of
  NAFTA and Intra-American Affairs within the International Trade Administration. The
  third-party web site that created the cookie was located at h2.humanclick.com, and the
  expiration date was April 13, 2002. The purpose of the cookie is not known, and it has been
  removed.

• Found on web page http://www.ita.doc.gov/td/energy, hosted by the Office of Trade
  Development within the International Trade Administration. The third-party web site that
  created the cookie was located at h2.humanclick.com, and the expiration date was April 13,
  2002. The purpose of the cookie is not known. After being informed that the cookie
  violated Department and OMB policy, the office removed it.

• Found four cookies on web page http://www.nmfs.noaa.gov/acquaculture.htm, hosted by
  the National Marine Fisheries Service.
  The third-party web site that created the cookies was
  located at superstates.com, and their expiration date was December 31, 2010. The cookies
  were being used to count the number of visitors to the web site. After being informed that
  the cookies violated Department and OMB policy, the office removed them.

• Found on web page http://seafood.nmfs.noaa.gov, hosted by the National Marine Fisheries
  Service. The third-party web site that created the cookie was located at aaddzz.com, and the
  expiration date was May 3, 2001. The cookie was being used to count the number of visitors
  to the web site. After being informed that the cookie violated Department and OMB policy,
  the office removed it.

The Department currently has a policy entitled Enforcement of Web Site Standards and Policies,
requiring the operating unit CIOs to certify annually to the Department’s CIO that all web sites
of their organization comply with the Department's web standards and policies. If any
deficiencies exist, the operating unit CIO is to provide a plan to bring the web sites into
compliance, and the Department’s CIO is to determine whether the proposed approach is
acceptable. The Department’s CIO has the authority to shut down any site for non-compliance.
We believe that the certification should explicitly state whether persistent cookies are being used,
and if so, indicate the compelling reason and whether Secretarial approval has been obtained.
Most operating unit CIOs do not control all of the web pages of their unit.
For those units, we
believe that the certification regarding persistent cookies should be made by the head of the
operating unit.

The Department and operating units must take aggressive steps to ensure that persistent cookies
are not used on their web pages unless a compelling need can be demonstrated and Secretarial
approval is obtained. Particular vigilance is needed to ensure that third-party cookies are not
used.

A. Recommendations

We recommend that the Department’s Chief Information Officer:

1. Reiterate the Department’s policy on use of persistent cookies to all operating unit CIOs
   and senior management.

2. Work with each operating unit’s CIO and senior management to implement a strategy to
   control the use of persistent Internet cookies to include:

   a. Activities to monitor the use of persistent cookies on their web pages,

   b. Definition of a periodic timeframe to perform monitoring activities, and

   c. Annual certification by the senior management or CIO of each operating unit to the
      Department’s CIO that either no persistent cookies or only approved persistent
      cookies are used on its web pages.

II. Use of Web Bugs Raises Privacy and Security Concerns

We found web bugs on 23 web pages.
The locations of these web bugs are listed in Appendix A.
As noted previously, because the use of web bugs is relatively new, the Department did not have
a policy to regulate their use at the time of our fieldwork, but has recently issued such a policy.
The privacy concern is that, like persistent cookies, web bugs can be used to track the web
browsing habits of visitors to Department web pages. Web bugs also present a security threat
because they can be used to perform malicious actions against the computer systems used by
web page visitors.

Some examples of the malicious actions that web bugs can perform include searching for the
existence of specific information, such as financial information, on a user’s hard drive;
downloading files from a user’s system; and uploading files onto a user’s computer. A web user
would be unaware of the presence of web bugs without using detection software. Even if such
software were used, the malicious actions performed by identified web bugs could go
undetected.

In all but a single instance, the web bugs that we detected exchanged information with
non-government computers. Thus, for all of the identified web bugs but one, the software executed
by the web bugs resides on non-government computers. The fundamental risk to privacy and
information security is the lack of Department control over the web bug software. Even if the
web bug software were determined by Department information security personnel to be safe to
use, the software is still not under Department control. Consequently, the software could be
modified without Department knowledge, and malicious actions could be inserted into the web
bug code.
Due to the limited scope of our review, we did not evaluate the web bugs that we
found for malicious actions.

As with persistent cookies, we believe that the certification of compliance with web standards
and policies should explicitly state whether web bugs are being used, and if so, indicate the
compelling reason and whether Secretarial approval has been obtained. In operating units where
the CIO does not control all of the web pages, the certification regarding use of web bugs should
be made by the head of the operating unit. Finally, the Department and operating units must
aggressively ensure that web bugs are not used on their web pages unless a compelling need can
be demonstrated and Secretarial approval is obtained.

A. Recommendations

We recommend that the Department’s Chief Information Officer:

1. Ensure that all web bugs found by our evaluation, as well as any other web bugs, are
   removed from Department web pages.

2. Reiterate the Department’s policy on use of web bugs to all operating unit CIOs and senior
   management.
3. Work with each operating unit’s CIO and senior management to implement a strategy to
   control the use of web bugs to include:

   a. Activities to monitor the use of web bugs on their web pages,

   b. Definition of a periodic timeframe to perform monitoring activities, and

   c. Annual certification by the senior management or CIO of each operating unit to the
      Department’s CIO that either no web bugs or only approved web bugs are used on its
      web pages.

III. Privacy Statements Should Be Modified to Comply with Department Policy

Our review of the privacy statements posted on the Department’s and operating units’ main web
pages revealed that the majority do not comply with Department policy. The Department’s CIO
Council approved the policy entitled Privacy Statements and Information Collection on
September 14, 2000.[7] The policy requires that the information collection practices be described
in terms of (1) what information is collected, (2) how long information is retained, (3) how the
information is used, (4) how e-mail messages are handled, and (5) what use, if any, is being
made of Internet cookies. In addition, the link from a web page to the privacy statement should
be clearly labeled.

Table 1 identifies which elements of the privacy statements that we examined comply with the
Department’s privacy policy.
Of the 23 privacy statements we reviewed, we found the following
five to be compliant: Department, Office of the Secretary, Economic Development
Administration, National Institute of Standards and Technology, and Office of Inspector General.
The privacy statements of the Bureau of Export Administration and the Bureau of Economic
Analysis partially address the policy in terms of generally defining the kinds of information
collected but do not precisely describe this information. Two elements of the Economic
Development Administration’s statement are marked as not applicable because the privacy
statement indicates that its web pages do not collect any information from web visitors.

The web pages for the Technology Administration and the Office of Technology Policy do not
clearly identify the link to their privacy statements. For both of these web pages, the link used to
obtain the privacy statement is labeled as “Credits and Disclaimers.” The Department’s policy
states that the link to a privacy statement must be clearly labeled.

[7] Because of our limited scope, we did not evaluate the privacy statements on pages beyond the operating units’
    main web pages.
Table 1
Status of Department and Operating Unit Privacy Statements

Organization | Information Collected | Information Retention | Information Use | E-Mail Handling | Internet Cookie Use
Department of Commerce | ✓ | ✓ | ✓ | ✓ | ✓
Office of the Secretary | ✓ | ✓ | ✓ | ✓ | ✓
Bureau of Export Administration | Partial | | ✓ | ✓ | ✓
Economics and Statistics Administration | ✓ | ✓ | ✓ | ✓ |
Bureau of Economic Analysis | Partial | ✓ | ✓ | | ✓
Bureau of the Census | ✓ | | ✓ | ✓ | ✓
STAT USA | ✓ | ✓ | ✓ | ✓ |
Economic Development Administration | ✓ | N/A | N/A | ✓ | ✓
International Trade Administration | ✓ | | ✓ | |
Minority Business Development Agency | | | | |
National Oceanic and Atmospheric Administration | ✓ | ✓ | ✓ | |
National Weather Service | | | ✓ | |
National Environmental Satellite, Data, and Information Service | ✓ | ✓ | ✓ | |
National Marine Fisheries Service | ✓ | ✓ | ✓ | |
National Ocean Service | ✓ | | ✓ | ✓ | ✓
NOAA Research | ✓ | ✓ | ✓ | |
National Telecommunications and Information Administration | ✓ | ✓ | ✓ | |
Office of Inspector General | ✓ | ✓ | ✓ | ✓ | ✓
U.S. Patent and Trademark Office | ✓ | | ✓ | ✓ | ✓
Technology Administration | ✓ | | ✓ | ✓ |
National Institute of Standards and Technology | ✓ | ✓ | ✓ | ✓ | ✓
National Technical Information Service | ✓ | | | ✓ | ✓
Office of Technology Policy | ✓ | | ✓ | ✓ |

✓ Indicates compliance with the specified policy element.

       Denotes that the organization is fully compliant with all policy elements.

N/A–Not applicable

A. Recommendations

We recommend that the Department’s Chief Information Officer:

1. Direct the operating unit CIOs and senior management to ensure that appropriate changes are
   made to their privacy statements so that they are compliant with the Department’s privacy
   policy.

2. Direct the operating unit CIOs and senior management to ensure that all web page links to a
   privacy statement are labeled as either “Privacy Statement” or “Privacy Notice.”
Department of Commerce                                                 Final Inspection Report OSE-14257\nOffice of Inspector General                                                                         April 2001\n\n\n\n\n                                                                                                 APPENDIX A\n\n\n                          Department Web Pages Where Web Bugs Were Detected1\n\n\n                                  The Bureau of Export Administration\nwww.bxa.doc.gov\nwww.bxa.doc.gov/factsheets/facts3.htm\nwww.bxa.doc.gov/FOIA/PrivacyInfo.html\nwww.bxa.doc.gov/factsheets/ExporterAssistance.html\nwww.bxa.doc.gov/AntiboycottCompliance/OACRequirements.html\nwww.bxa.doc.gov/AntiboycottCompliance/OACAntiboycottRequestExamples.html\nwww.bxa.doc.gov/Seminars/SeminarDescription.htm\nwww.bxa.doc.gov/Seminars/elsem.htm\nwww.bxa.doc.gov/DPL\nwww.bxa.doc.gov/DPL/denialist.html\nwww.bxa.doc.gov/DPL/LastChanges.html\nwww.bxa.doc.gov/Enforcement/eeprogrm.htm\n\n                             International Trade Administration\nwww.trade.gov/td/tic/\nwww.ita.doc.gov/td/aerospace/\nwww.ita.doc.gov/td/energy/\ninfoserv2.ita.doc.gov/ot/home.nsf\nwww.ita.doc.gov/td/auto/\n\n                    National Oceanic and Atmospheric Administration\nseafood.nmfs.noaa.gov/\nwww.nmfs.noaa.gov/trade/Japan98SoftshellTurtleMarket.htm\nwww.nmfs.noaa.gov/trade/JAPAN98LIVEfishreport.htm\nwww.nmfs.noaa.gov/trade/Japan98SummerFlounder.htm\nwww.nmfs.noaa.gov/trade/EUCONTENTS.htm\n\n                            National Institute of Standards and Technology\nwww.nist.gov/success/\n\n\n\n\n1\n    All of the web bugs except for NIST\xe2\x80\x99s exchanged information with non-government computers.\n\n\n                                                      A-1\n\n\x0c\x0c"